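rule SUSP_ThemeBleed_Theme_Sep23 {
    /*
        Flags small files that carry both Windows theme section headers
        ([Theme] and [VisualStyles]) and a "Path=" value that starts with a
        UNC host (\\host\), i.e. a theme resource that would be loaded from
        a remote machine. See the reference in the meta section.

        Triage note: a UNC path in a theme file is suspicious, not conclusive.
        Themes deployed from an internal file share produce the same pattern,
        so check the host in the matched $s1 string against known internal
        servers before escalating.
    */
    meta:
        description = "Detects domain or IP placement in Windows theme files"
        author = "@m_haggis, @nas_bench"
        date = "2023-09-13"
        reference = "https://github.com/gabe-k/themebleed"
        score = 75

        id = "76d0042b-655d-5d03-bcc4-150ebc92eb43"
    strings:
        // "Path=\\<host>\" where <host> is a hostname, FQDN or IPv4 address.
        // The length bound is 253 (maximum DNS name length) so that long FQDNs
        // are covered; the previous bound of 20 silently skipped them.
        // nocase: INI key names are case-insensitive on Windows.
        // ascii wide: theme files can be stored as ANSI or UTF-16 text.
        $s1 = /Path=\\\\[0-9a-zA-Z\.-]{1,253}\\/ nocase ascii wide

        // Section headers that identify the file as a theme file; INI section
        // names are case-insensitive as well, hence nocase.
        $s2 = "[VisualStyles]" nocase ascii wide
        $s3 = "[Theme]" nocase ascii wide

    condition:
        // The size check comes first so large files are rejected cheaply;
        // theme files are small INI-style text files.
        filesize < 1MB and all of them
}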
